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BLOCK CIPHERING SYSTEM, USING PERMUTATIONS TO HIDE THE CORE CIPHERING FUNCTION 
OF EACH ENCRYPTION ROUND 



FIELD OF THE INVENHON 

The invention relates to a method of providing a cascaded signal processing 
function to an execution device in a secure and/or personalized way. The invention also 
relates to a system for providing a cascaded signal processing function to an execution device 
5 in a secuie and/or personalized way. The invention further relates to an execution device for 
executing a cascaded signal processing function provided in a secure and/or personalized 
way. 

B ACKGROXJND OF THE INVENTION 

10 The Intemet provides users with convenient and ubiquitous access to digital 

content Because of the potential of the Intemet as a powerfid distribution channel, many CE 
products strive to interoperate wi& the PC platform — the predonunant portal to the Internet 
The use of the Intemet as a distribution medium for copyrighted content creates the 
compelling challenge to secure the interests of the content provider. In particular it is 

1 5 required to warrant the copyrights and business models of the content providers. Control of 
the playback software is one way to enforce the interests of the content owner including the 
terms and conditions under which the content may be used. In particular for flie PC platform, 
the user must be assumed to have complete control to the hardware and software that 
provides access to the content and unlimited amount of time and resources to attack and 

20 bypass any content protection mechanisms. As a consequence, content providers must deliver 
content to legitimate users across a hostile network to a community where not all users can be 
trusted. The general approach in digital rights management for protected content distributed 
to PCs is to encrypt the digital content (for instance using DBS) and to store the decryption 
key (or the 'license") in a so-called License database on the PC's hard disk. Digital content 

25 on the PC is typically rendered using media players, such as Microsoft's Media Player, 
Real's RealOne Player, Apple's QuickTime player. Such players can load for a specific 
content format a xespective plug-in for perfonning the fonnat*-specific decoding. Those 
content formats may include AVI, DV, Motion JPEG, MPEG-1, MPEG-2, MPEG-4, WMV, 
Audio CD, MPS, WMA, WAV, AIFF/AIFC, AU, ete. The player and plug-in structure is 
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iUustrated in Fig. 1, y/biBre a media player 100 includes a core player 100 and several format- 
specific plug-ins (shovm are plug-ins 120, 122 and 124). The core player 100 may, for 
example, provide the user inteifece for controlling the player. Each plug-in includes a 
respective decoder. It may send the decoded content directly to rendering HW/SW, such as a 
sound-card, or pass it on to the core player 100 for further processing. For secure rendering, a 
secure plug-in is used that not only decodes the content in Ihe specific format but also 
decrypts the content This is illustrated in Fig.2, where the encrypted content is first fed 
through a deeryptor 230 and next the decrypted content is fed trough the format-specific 
decoder 220. The deeryptor 230 may receive a decryption key/license fiom a Ucense database 



210. 

The largest vuhierabiUty of digital rights management relying on encryption is 
file key distribution and handling. For playback, a software player has to retrieve a decryption 
key fiom the Ucense database, it then has to store this decryption key somewhere in memory 
for the decryption of the encrypted content This leaves an attacker two options for an attack 
of the key handUng m a software player: firstly, reverse engineering of the Ucense database 
access fimction could resuh in a black box software (i.e., the attacker does not have to 
understand the internal workmgs of the software function) c^le of retrieving asset keys 
fiom aU Ucense databases. Secondly, by observation of the accesses to memory used during 
content deayptirai it is possible to retrieve the asset ksy. 

Typically digital ri^ managem«it systems use an encryption technique 
based on block ciphers that process tiie data stream m blocks usmg a sequence of 
encryption/decryption steps, referred to as rounds. The output of /-l*^ round is the input of the 

round. Thus, for a system witii N rounds the algorithm can be described as a fimction 
cascade A «» • • ■ » / W , where fimction /, represents Ihe fimctionaUly of round f . Most block 
algorithms are Feistel networks. In such networks, the input data block x of even length n is 
divided m two halves of lengtti ^ , usuaUy referred to as I and it So, tiie mput a: fed to tiie 
first round is given as jc = (l^,i?o). The round (i>0) performs the fimction /.where /, is 
defined as 

is a subkey used m the i* round and F is an arbitary round function. 
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SUMMARY OF THE INVENTION 

It is am oljject of the invention to provide a better protection of cascaded signal 

processing functimis sudi as Feistel networks. 

To meet the object of the invention, a method of providmg a digital signal 
5 processing function /to an executing device man obfuscated form, w^ere the function 

/ includes a function cascade including a pluraHty of signal processing functions f, , 
l^i^N,fot processing a digital signal hspm xto yield a digital signal output (for 
example.FC,(x)s/,o...oy;(^)), includes: 

selecting a set of 2N invertible permutations p„\<>i<>2N ; 
10 calculating a set of iNT functions g, , y^bssto g, is fanctionally equivalent to 

calculating a set of functions A^.vi^ere^ is functionally equivalent to 

equipping the executing device with an execution device function cascade that 
15 includes ''K^y^.i °hf,.i °...<>yi » where jFi,..-. are fimction 

parameters(for exanq)le,££^(>',,...,j'iv) syj, o o o,..o J/,), 

providing the functions gi,...,gn to the executing device; and 
in the executing device, applying the execution device function cascade to the 
functions gi,...,gif (for exanq)le, J^D^(^^,...,gAr))• 
20 According to the invention the constituent functions f, are provided in an 
caicapsulated form as g, , where g, is functionally equivalent to p^of^o p^_^ ,fotl^i^N. 
The functions used for the raicapsulation are also hidden by being supplied in the form of 
h, which is a multipUed version of o p^_^ , for 2 ^ / ^ iV^ . By executing the functions g, 
and A, in the ececution device in an interleaved manner (as for example is illustrated m Fig.4) 
25 the functionality of the function cascade is achieved vvithout /, bemg directly recognizable. 
In particular, if f, represents a round function of a Feistel cipher, the round key that is 
embedded in the round function is not directly recognizable. The obfuscated delivery of /, 
increases security. The execution function device cascade may form the core functionality of 
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a media player, where the set gi^^.^tgn enables the player to execute a function cascade 

containing up to and including . 

The dependent claims 2 and 3 show two respective alternative embodiments 
for protecting the (functional) beginning of the function cascade. In the embodiment of claim 

2, the execution device function cascade starts with p^^ , for example 

^20^i»---»^iv) = J'iv"*^/y**J^i/-i°Vi^---^7i°Pr^- Ap^^ gi,...,gif. gives asa 

functional start of the function sequence executed in the device: 

execution device explicitly executes . In the embodiment of claim 3» security is increased 
by extending the function cascade with a starting function /q Hist aids in hiding p^^ . The 
function cascade may, for example, be FC2 (x) - fj^o^^^o f^o f^{x) . The execution device 
function cascade starts with a function , for 

example£i)30/,,.,.,j;^) = ;^^o/f^oy^_^jo/ij^_jO..^ ,where5i is functionally equivalent 

to p^^ o , Since only represents p^^ in a fomi multiplied with , p7^ can not be 

retrieved from the execution device in a direct way such as reading certain memory locations. 
Preferably, is a global secret 

The dependent claims 4 and 5 show two respective alternative embodiments 
for protecting the (functionally) ending of the function cascade in a manner analogous to 
claims 2 and 3 

According to the measure of the dependent claim 6, the chosen sequence of 
permutations /?, is unique for the device. In this way, the function cascade is siq>plied to the 

execution device not only in an obfuscated form but also in a personalized form* For 
example, if the function cascade represents a Feistel cipher with embedded decryption key, 
cryptanalytic or brute force attacks may result in obtaining the black box functionality of 
5^, , . . . , g . This broken functionality would then only work in combination with the 

corresponding execution device function cascade and not with any other execution device. 
This significantiy limits the impact of a successful attack. 

According to the measure of the dependent claim 7, the execution device 
function cascade is embedded in a program, for example in the form of a media player or a 
plug-in for a media player. The execution device is thus provided with secure, personalized 
software. 
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According to the measure of the dependent claim 8, the functions 
g^p...»^j^foxmapliig-in for the program. If the program itself is a plug-in, then the functions 
ft 9 - . • » J/ are in effect a plug-in for the plug-iiL As an alternative, according to the measure 
of the dependent claim 9, the functions ft » . * • » may be embedded in the same program as 

5 the execution device Amotion cascade. 

To meet an object of the invention, a computer program product operative to 
cause a processor in an execution device to execute a digital signal processing function / 
including a function cascade including a plurality of signal processing functions / , where 
1 :S I :S J\r , for processing a digital signal input x to yield a digital signal output (for 
10 example, FC, (x) s/^ fiix)\ by: 

loading an execution device function cascade that 
includes y^f oh^ oy^^^ oh^^^ o.,.oj;j, where y^ y^ are function parameters, 

loading a set of functions gi).--»^//; 

applying the execution device function cascade to the set of functions 
15 ft,.. .,g^; where: 

' gf is functionally equivalent to ^fi^ P2i~i7^ot \^i<N\ 

is functionally equivalent to pJ/Li«/?2/-2 2^i<JV;and 
/7, is an invertible permutation, for 1 ^ i' ^ 2N . 

To meet an object of the invention, a method of providing a digital signal 
20 processing function / to a plurality of executing devices, each identified by a unique index 
7 , in an obfuscated, anonymous form; the function / including a function cascade including 
a plurality of signal processiog functions , where 1 :< i ^ i\r , for processing a digital signal 
input X to yield a digital signal output (for example, FC,(x)s/^o...o/;(x)), includes: 

selecting a set of 2N invertible permutations Pi , where \<.i^2N ; 
25 calculating a set of iST functions ft , where ft is functionally equivalent to 

selecting for each device J a corresponding set and/or sequence of 
2N invertible permutations Pjj , that is unique for the device and/or a user of the device; 
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calculating for each executing device j a corresponding set of iV^ - 1 
functions^ , , where h is functionally equivalent to pX2,-i <> /^^.2i~2 for 2 ^ i ^ iST ; 

equipping each executing device j with a respective execution device function 
cascade JED,(;^i,..-,yAr)that includes jy^,^ oh^^ oy^^^ ""^j^^x J'l ; 
S equipping each executing device j with a respective loader function 

loaderj{x^,...,x^) = ((,4 ^rj^y^^Jjj, ox^ where/,^ is functionally equivalent to 

J7j^ o mdtj^ is functionally equivalent to pj^^f ^ ° j?7.2i-i 5 

providing to the executing device the functions gw^^gN ' 
in the executing device, executing ED^ {loader j (^19 ...» ^i/)) » 

10 The functions f, are obfuscated in tiie form of the functions gi^.^.^g^ intiie 

same way as described for claim 1. The functions gx^.^.^ga ^ the same for each device and 
can be seen as corresponding to one de&ult/anonymous device. The execution devices are 
equipped with a device specific ("personalized*') execution device cascade. A device specific 
loader function is used to convert the respective anonymous functions to corresponding 

IS device specific functions that can be fed to the execution device cascade. The loader function 
uses conversion Amotions Ij^ and r^^ that are based on a set/sequence of permutations 

that are not revealed. 

According to the measure of the dependent claim 12, the functions can be 

supplied to all devices in a same way, for example, using broadcasting or on a storage 
20 medium, such as a CD-ROM or DVD. 

These and other aspects of the invention are apparent fiom and vdll be 
elucidated with refaence to the embodiments descmbed hereinafter. 

BRIEF DESCRIPTION OF THE DRAWINGS 
25 In the drawings: 

Fig. 1 shows a block diagram of a prior art plug-in based decoding; 

Fig.2 shows a block diagram of a prior art based decryption; 

Fig.3 shows a block diagram of a prior art integrated decryption/decoding 

system; 

30 Fig.4 shows the obfuscating according to the invention; 

Fig.S shows a simple example of obfiiscation; 
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Fig.6 shows a block fftagram of a system according to the invention; 
Fig.7 shows a further embodiment of a system according to the invention; 
Fig.8 illustrates anonymous obfuscadon according to the invention; and 
Fig.9 illustrates an alternative embodiment for anonymous obfuscation. 

5 

DETAILED DESCRIPTION OF THE PREFERRED mffiODIMENT 

Fig.3 shows a block diagram of prior art system in which the invention may be 
employed. In the example of Fig.3 content (typically Audio and/or video content) is 
distributed on a medium 310. The medium may be the same for each player. The mediimi 

10 may be of any suitable type, e.g. audio CD, DVD» solid state, etc. The content on the medium 
is copy protected, preferably by being encrypted under using an encryption algorithm, such 
as a Feistel cipher. The storage medium may include information relating the decryption key. 
Alternatively, the storage medium may include information 3 12 (such as an identifier) that 
enables the player to retrieve the information, for example by downloading it from a server in 

IS the IntemeL The decryption key is created in a secure module 320 by using a key-specific 
key 322 and the information 312 to calculate 324 the decryption key 326. The decryption key 
is the received 332 in a second module 330. The second module 330 decrypts 334, decodes 
336 and renders 338 the content 314 of the medium 310. 

Fig.4 illustrates tibie mediod according to tiie invention. A digital signal 

20 processing function/is provided to an executing device in an obfijscated form. The Amotion/ 
includes a Amotion cascade including a plurality of signal processing functions/, l^i^N, 
For example the core of the fimction cascade may be formed by (x)^f^o**'of^(x)At 

should be noted that here the conventional mathematical notation is used: 

8 /W = S (/(^)) • ^ principle, the function cascade may be any digital signal processing 

25 function. In a preferred embodiment the function cascade includes a cipher. For example, the 
function/ may represent the ^ round (>0) of a Feistel cipher. In such a case,/ is defined as: 

where iC, is a subkey used in the roimd and F is an arbitrary round function. 

According to the invention, a set of 2iSr invertible permutations Pi, 1 < i < 2N 
30 is selected. Next, a set of iST functions g, is calciilated, where g, is functionally equivalent to 

P21 0/0 pj^j , for 1 < / ^ . In this context with functionally equivalent is meant that if g, is 

applied to a same input (e.g. x) the same outcome is achieved as when pj/ 0/0 p^^^^ is 
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applied to that input, for each allowed value of the input The composite functions p^/ > 
and ^® separately visible* g, provides the black box functioiiality of of^o p^^^ . 
Fig. S illusbates this approach for very simple one-dimensional functions. In this example, 

P4(x)=^^;p:\x) = x^;P3(x) =|; A '(x) = ixi^x) = a:+3 . Thus 

5 g2{x)^p;'of^op,ix)^p;'of^(j,^ix))=p;'of^i^^ 

known from the field of computer compiler building how ihe black box functionality of 
p^of^o ^2,^, can be achieved using so-called partial evaluation. Cheq[)ter 1 "Partial 

Evaluation and Automatic Program Generation" by N*D. Jones, C.K. Gomard, and P. Sestoft 
describes the concept of partial evalmtion. This will not be described in more detail here. It 
1 0 will be appreciated that the digital signal input x is a mxilti-dimensional parameter, for 

example of 64 or 128 bit block/vector, to be able to perform a useful permutation. According 
to the invention, a set of N-l functions/;^ is calculated, where /i^ is functionally equivalent to 

PtI'I ^ >foT 2<i<N. Using the simple example of Fig.5, 

fhOO = A * o p2(x) = 3 • P2ix);h3ix) = p;^ o p^(pc) = pJ^CVx) . Using these definitions, part of 
IS the execution device cascade that hides would be: 

= iff (Vx )) o ix) + 3)^ = pl^ (^/cS(5+3?) = Pl^ iP2 W + 3) . It can be observed 
that this is mdeed functionally equivalent to pj^ ® /2 P2 W • Thus, the executing device 
that has executed this cascade has executed without having explicit kaowledge of . 

20 In a further example, Ar=2, and fi md^ are each evaluated to a respective 

mapping table given by: 

/i:{0->3, l->l,2->6,3->2,4->7,5->5,6->4,7->0,8->8}, 
>i: {0->4, l->l,2->5,3->7,4->6,5->2,6^0,7->8,8^3}. 

In this example^/i is an invertible function that converts a nxmiber between 0 and 8 to a 
25 number between 0 and 8, e.g. value 0 is converted to value 3, value 1 to 1, value 2 to 6, etc. 

The following four respective permutations are used in this example: 

Pi: { 0 -> 5, 1 -> 3, 2 •> 1, 3 o> 7, 4 ^ 0, 5 -> 6, 6 -> 2, 7 -> 8, 8 ^ 4 } 
P2: {0-^8, l-> 6, 2-> 7,3 ->3,4-> 4,5 -> 2,6 ->0,7-> 1,8^5} 
ps: { 0 -> 3, 1 -> 5, 2 -> 7, 3 -> 1 , 4 ^ 6, 5 -> 0, 6 -> 2, 7 -> 8, 8 -> 4 } 
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/74:{0->3,1^0,2^5,3->2,4c>7,5^8,6->l,7o4,8->6} 
For ibis sample the following fhiee inverse permutations are used: 

{0-> 6,1 -.>7,2-> 5,3 ->3,4-> 4,5 -> 8,6 -> 1,7^2, 8->0} 

Pa*: {0->5, 1 ->3,2->6,3->0.4.>8,5->l,6->4,7->2,8->7} 

5 : { 0 -> 1, 1 -> 6, 2 -> 3, 3 -> 0, 4 ->7, 5 .>2, 6 -> 8, 7 -> 4, 8 -> 5 } 

Giving these functions, h^ipc) = p^^ o p2(x) is then given as: 

A2: {0-> 7,1 -> 4,2 -> 2,3 -> 0,4 -> 8,5 -> 6,6 -> 5, 7^3,8 ->1 }. 
For example, maps 0 to 8 and p^^ maps 8 to 7. Thus, hjiO) = p^^ o p2iQ) = 7 . 

Similarly, g^ix) = p^^ of^ o /?j(x)is givenby: 

10 gi: {0->8,l->5,2->7,3^6,4^3,5->4,6->l,7->0,8->2} 

and g2(x)=:/?;*oy20/73(j:)is given by: 

gi: {0->4,l->3,2->5,3->6,4->l,5^7,6<^2,7->0,8->8 } 
The executing device is equipped wift the execution device function cascade 
that includes j^^ o/jjy J o^^ ^ ^.-^^^i > where j^p-.-sj^^y are function parameters. This is 

15 shown in Fig.4 as a sequence of functions /rj/,/7^.p...,^ 410. An exemplary execution 
device function cascade is ED^(y^^...,y^) s oh^ ^yN^i "^^n-x ^---^ J'l • Furthermore, the 

functions Sn provided to the executing device. This is shown in Fig.4 as a 

sequence of functions ^jsr>^jyr-i ^ executing device, the execution device 

function cascade is applied to the functions f 1 . .> g^i/ • This gives, for example, the total 

20 signal processing functionJEDj(gj,...,g^) in the executing device. This function can then be 

applied to the digital signal input x. 

Taking a look at a middle part of the cliain like o o , this gives: 

A+i ""gi ""h = Ptl^x <^/^2i ^Pi' *^i^2M °P2i-i °P2i-2 = ^P2,.2 • Th© S^st and least term 

of this expression will be eliminated by the respective g terms. The total outcome is that the 
25 executing device executes a fimction that includes the fimction ca^ o...o^(x) without 

having access to any of the functions f^. These functions are thus obfuscated. 

In preferred embodiments, options are given for dealing with the beginning 
and ending of the chain. Without any further measures, the resulting total signal processing 
function in the executing device may be ££\(gi,...,gjy) s /?2]v-i ^/n ^**"^f\ix)o p^ . For 
30 example, the term p\ can be eliminated by using an execution device function cascade that 
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includes o oy^^^ oh^^^ ^..•^^J'l A"* • For 

example,£:/?2(j'i»---»J'i/)^J'jv°*i*r°J'iy-i^ Pi^ is kept 

secure in the executing device. A preferred way of doing this is to extend the function 
cascade with a further signal processing function^, 
5 ( for example, FCj (x) s y]^ o • • . o ^ o (jc) ), The execution device function cascade then 

includes y^ ^^N'^yN-i ^^//-i ^'•••^^J'l » for example 

{ED^(y^^...^yi^)^y^ ^hj^oy^^ o/i^_, o,..oy^ oS^ ) , where Si is ftmctionally equivalent 
topi^ of^.Jn this way the individual terms p^^ and fo need not be revealed, but only the 

multiplicated form/^'^ o exists. Preferably,^^ is a global secret, i.e. known to tiie parties 

1 0 that need to known it but not distributed any furlher. Global secrets in itself are known and 
ways of commumcating global secretes in a secure way are also Icnown and will not be 
discussed here any further. 

In a corresponding way, measures can be taken for dealing with the term 

PzU'-i * example, the execution device function cascade may include 

better jprotect p2N » the function cascade may end with a further signal processing function 
fnf^u (for example, FC^ix) s f^^^^ /Jy W )• The execution device function cascade 

then includes jSj oyj^ oh^ ^^n-x 

(e.g., ED^(yyy...^y^)^S^ oy^ oAjy where iSj is functionally equivalent 

Fig.6 illustrates a system in which the invention may be employed. The system 
600 includes a server 610 and at least one executing device 620. The server may be 
implemented on a conventional computer platform, for example on a platform used as a 
server, such as a web server, or file server. The server includes a processor 612. The 
25 processor 612 is operated under control of a program. The program may be permanentiy 
embedded in the processor in an embedded storage, like embedded ROM, but may also be 
loaded £com a background storage, such as a hard disk (not shown). Under control of the 
program, the processor 612: 

• selects the set of 2JV' invertible permutations , 1 ^ i ^ 2N ; 
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• calculates the set of iSr functions where is functionally equivalent to 

• calculates the set of iV-1 functions , where is fiinctionally equivalent to 

5 The permutations may be selected (e.g. randomly or pseudo-randomly) chosen fiom a very 
large set of permutations that may be stored ia a (preferably secure) storage (not shown). The 
server may also use a suitable program to generate the permutations. It is well-known how to 
create invertible permutations and this will not be described here any further. 

Additionally, the server uicludes means 614 for equipping the executing 
1 0 device with an execution device function cascade that includes y^^h^fO y^^^ o j <> . . - « j^i , 

v*iere j/^. . j;^ are the function parameters. The server may do this in any suitable form. For 

example, in a factory the terms A, may be stored in a storage module of the executing device 
during the manufecturing of the executing device 620. Fig.6 shows that the terms are 
downloaded through the Internet 630 directiy to the executing device 620. The server 610 : 
IS also includes means 616 for providing tiie functions .,£rj/ executing device 620. 

The functions g, incorporate the respective functions f, . The ftmctions f, may be chosen 

specifically for the digital signal input x . For example, each video titie may be encrypted 
with a corresponding encryption function (e.g. using a same cipher but with a content specific 
key). To this end, the server 610 may also include the software for controlling the processor 
20 6 12 to enarypt the content 640 and supply the encrypted content 642 to a distribution 

medium, e.g. for distribution on a storage medium or through a communication medium like 
the Internet. 

The executing device 620 includes means 626 for obtaining the functions 
gif'-'sgif ^om the server 610. These means cooperate with the means 616 of the server and 

23 will not be described further. The executing device 620 fiuther includes a processor 622. The 
processor may be of any suitable type, such as a processor known fiom personal computers 
or an embedded microcontroller. The processor 622 is operated under control of a program. 
The program may be permanentiy embedded in the processor 622 using an embedded 
storage, like embedded ROM, but may also be loaded fiom a background storage, such as a 

30 hard disk (not shown). Under control of the program, the processor 622 loads the execution 
device function cascade and applies the loaded execution device function cascade to the 
functions for example by executing £D, (grp..., ^^). The resultmg signal 
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processing fimction may then be appUed to the signal ii^ut x (e.g. content received from a 
medium). The processor 622 may load the execution device function cascade in any suitable 
form. For example, the cascade may have been pre-stored during mannfecturing in a storage, 
reducmg the loading to a straightforward memory read access. In the example of Fig.6, the 



executing device 62U mciuoes 
cascade), for example, through the Internet 630 or from the medium 650. Sunilarly, the 
executing device 620 may retrieve encrypted content 652 from the medium 650, and decrypt 
this using the processor 622. The processor may also decode the deaypted ccmtent 

Fig.7 shows a preferred embodiment wherein the execution device function 
cascade is provided to the executing device 620 embedded in a software program 710 for 
execution by the processor 622. Same numbers in Fig.7 refers to the same items as used in 
Fig.6. The software program 710 may be a plug-in for a program like a media player. Thus, 
the means 614 of Fig.7 may siqjply this plug-in 710 via the Internet (e.g. item 630 of Fig.7) 
or embed it directly into the executing device 620 during manufacturing. 

In an embodiment, fixe functions ^, are suppUed to the executing 

device 620 in the form of a plug-in for the program 710. In fte case where the program 710 is 
already a plug-in, the functions gi,...,gif are effectively a plug-in for a plug-in. 
Alternatively, the functions gi,...,gM provided to the executing device 620 by 
embedding the functions g„...,5j, in the software program 710 by ^plying the execution 
device function cascade to the function parameters ^„...,gj,. In this way, the program 710 

embeds both the functions h, and g, . 

In an embodiment, each executing device and/or user of the executing device 
is unique and identified by a unique identity (e.g., a unique number/). In the system and 
method according to the invention, it is ensured that die sequences g, and are unique for 
the involved party. This can be achieved by obtaining the unique identity/ of tiie executing 
device and/or user of tiie executing device a respective set of 2iV invertible permutations p, 
that is unique for tiie obtained identity. Sinularly, usmg the same set of permutations, a 
unique sequence of the permutations may be chosen. Both techniques (choosing a different 
set of permutations or a diflEerent sequence of permutations) may be combmed. Preferably, 
the server stores (in a secure way) the unique set/sequence for each unique identity. In tiiis 
way, each software media player in a personal computer can be suppUed witii a unique plug- 
in for decrypting and/or decoding a media titie. The medium it self need not be unique. The 
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encrypted content only depends on the encryption functions, not on the unique set/sequence 
of permutations. By regularly (e,g. at start-up of the media player) checking whether the 
software corresponds to the identity and only executing the software if a match can be 
established it can be ensured that no player software can be executed on a PC to which it does 
S not belong. If inadvertently a hacker manages to obtain the device-specific permutations they 
can only be used on the involved PC, possible also for content protected with a different 
encryption (resulting in di£fo:ent fimctions /, )> but not on difTetent platforms. 

Above a method and system have been described wherein a signal processing 
function cascade is supplied to executing devices in an obfuscated way. For each device the 

10 same set/sequence of permutations may be used or a device-specific set/sequence may be 
used. In the remainder an preferred approach is described for achieving a device-specific 
set/sequence by distributing the signal function cascade ('key') in an obfuscated way Ibat is 
the same for each device and using a conversion routine (loader') that converts the common 
key to a device-specific k^. The ^common key' is created in much the same way as 

1 5 described before. The common key can in principle 'imlock' a reference player or 

anonymous player tiiat, however, in this embodiment is not executed by any actual:executing 
device. As before, the metiiod includes selecting a set of lATinvertible permutations /7|, where 
1 < / ^ 2N and calculating a set ofN functions g, , v^ere is functionally equivalent to 

pi ° ff"^ Pm ^foxl^i^N . Now additionally, the method includes selecting for each 
20 executing device, each identified by a unique index j, a corresponding set and/or sequence of 
2JVinvertible peraiutations , that is umque for the device and/or a user of the device. This 
set is used to provide each device a unique *player'. This unique player is formed by 
calculating for each executing device J a corresponding set ofNA functions hj^ , where hj^ is 

functionaUy equivalent to Pj^^^y o p^^_^ fotl^i^N and equipping each executing device^ 
25 with a respective execution device function cascade EDj (>^i , . . . , ) that 

includes o hj j^ o y^^^ o hjj^^^ © . . . o . This device-specific set hj^ , however, does not match 
the obfuscated function cascade, tiiat can 'unlock' a reference player that uses set ^ . This 
latter set/player set is not made available to any executing device. Instead, the executing 
device^ is equipped with a respective loader function 
30 loaderj{x^,...,x^) = (/^^ o jc, or^.i,-..,/,.7/ °% ^r^^) . where/,,, is fimctionally equivalent to 

""Pii and is functionally equivalent to pji-i"* Py.21-1 • As before, each executing device 
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is provided with the same functions , . . . , g^j^ . The executing device then executes 
EDj(loaderjig^,...ygj^y) . In this formula loader j{g^,...,g^) efiBectively converts the 
anonymous key » . • . > S'at ^ device-specific key that optimally matches die execution 
device function cascade jEI)^(j;p...,j;^), Using die definition that 

g,=Logor,,, Using the definitions given above, this gives 

Sj, = Pj\i ^ P2i "'P^'^fi'' Pii-x ^ ^2/^"* ° Pj:u-i , tiiat can be rewritten as g^^ = pj^^, o / o . 
This is die same as using a device-specific set/sequence of pemiutations, where the device- 
specific set h^^ eliminates the pemiutations. 

10 The concept of using an anonymous obfuscated key and a device-specific 

loader is also illustrated in Fig.8. The anonymous player Pl-R 810 incorporates the functions 
hi. The anonymous player Pl-R can be unlocked by the corresponding key K-R 812 that 
includes the obfuscated signal processing functions / in the form of the set g^ • The 

anonymous player Pl-R is not disclosed to any party. Each party is instead provided with a 
IS uruque, device-specific player, shown are players Pl-1 830 and Pl-2 840. The common key 
K-R is provided to all parties. However, this common key does not match the specific 
players. Therefore, each party is also provided with a device-specific key loader K-L, shown 
are 820 and 825. The loader 820, 825 is used to convert the anonymous key K-R 812 into a 
device-specific key K-j., To fliis end, loader K-Li includes the functions and ry,,. As is 
20 shown in Fig.8, in principle, a device-specific loader is used. As is further illustrated in Fig.9, 
in feet, the loader may be the same, but fed with the device-specific functions 1^^ and r^^ . In 

the example of Fig.9, being fed witfa/|^ and r,^ converts the anonymous key K-R 812 into the 

device-specific key 832 for device 1; being fed with/j^ and r^^ converts the anonymous key 

812 into the key 842 for device 2. The device-specific players 830, 840 are then unlocked 
25 using the device-specific key sets , 832 and 842, respectively. It will be appreciated that in 

these examples, the phrase 'key' and 'player' is interchangeable since two chains of functions 
mtre-lock. The emnple of Fig.4 illustrates both chains as keys. In an analogous way, it could 
also be illustrated as two mterlocking players. 

It will now be understood that the anonymous player 810 (incorporating 
30 g\) may advantageously be provided to each executing device through broadcasting and/or 
distribution on a storage medium with a same content for each executing device simply 
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because this player is the same for each device. Similarly, the digital signal input x to be 
processed by each executing device can be distributed tlirough broadcasting and/or 
distribution on a storage medium vnih a same content for each executing device. The loader- 
specific aspects are preferably provided to executing devicey through a 'one-to-one 
5 communication chaimel' and/or a storage medium with a device-specific content with at least 
one the following sets of corresponding fimctions: hjj, Ijjfit rjj. The *one-to-one 
communication channel* may be achieved in any suitable way. Preferably, the server 
downloads the device-specific information via a secure link (e.g. SSL) using Internet 

As described above, the function / may be a decryption function based on a 
10 Feistel cipher network and each of the signal processing fimctions^/ is a respective Feistel 
decryption round function. In such a case, each of the permutations jp, is preferably a Feistel 
transformer where a function Q operating on a sequential pair <x, y> is a Feistel transformer 

if tiiere exist invertible functions jg, and Qy and Q({x,y)) = (fi, {x),Qy {yfj , where 

Qx (x) ® fi, {y) = fi, ® y) aiid Qy (x) e Qy {y) ^Qy{x®y). If tiiese conditions are met, 

IS the functions / can be optimally hidden. In practice, it can be shown that many such Feistel 
transformers exist, giving ample room for device-specific choices of permutations. The 
definition of tiie Feistel transformer is based on the insight that using the definitions given 

aboveaFeistelround /((A.i,2^^)) = (i2,.,,(Z,.ieF(i?,.p canbeseenas 
= swap o involutaryp , with the definitions swctp (( j:, j;)) = swap (( j/, x)) and 
20 involutaryp {{x^y)) = {x^y © F{x)) . It then holds that swap''^ = swcp and 
involutary'^p = imolutaryp . 

It will be appreciated that the invention also extends to computer programs, 
particularly computer programs on or in a carrier, adapted for putting the invention into 

25 practice. The program may be in the form of source code, object code, a code intermediate 
source and object code such as partially compiled form, or in any other form suitable for use 
in the implementation of the method according to the invention. The carrier be any entity or 
device capable of carrying tiie program. For example, the carrier may include a storage 
mediimi, such as a ROM, for example a CD ROM or a semiconductor ROM, or a magnetic 

30 recording medimn, for example a floppy disc or hard disk. Further the carrier may be a 

transmissible carrier such as an electrical or optical signal that may be conveyed via electrical 
or optical cable or by radio or other means. When the program is embodied in such a signal. 
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the carrier may be constituted by such cable or other device or means. Alternatively, the 
carrier may be an integrated circuit in which the program is embedded, the integrated circuit 
being adapted for performing, or for use in the performance of, the relevant method. 

It should be noted that the above-mentioned embodiments illustrate rather than 
5 lunit the invention, and that those skilled in the art will be able to design many alternative 
embodiments ivithout departing from the scope of the appended claims. In the claims, any 
reference signs placed between parentheses shall not be construed as limiting the claim. Use 
of the verb "comprise** and its conjugations does not exclude the presence of elements or 
st^s other than those stated in a claim. The article *'a" or "an" preceding an element does not 

1 0 exclude the presence of a plurality of such elements. The invention may be implemented by 
means of hardware comprising several distinct elements, and by means of a suitably 
programmed computer. In the device claim enumerating several means, several of these 
means may be embodied by one and the same item of hardware. The mere fact that certain 
measures are recited in mutually diEferent dependent claims does not indicate that a 

IS combination of these measures cannot be used to advantage. 



